GitHub Advisory DatabaseGHSA-M833-87VF-576Covirt-engine Logs Plaintext Passwords To File
3.5 Low
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:S/C:P/I:N/A:N
7.2 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
0.003 Low
EPSS
Percentile
68.3%
ovirt-engine before version 4.1.7.6 with log level set to DEBUG includes passwords in the log file without masking. Only administrators can change the log level and only administrators can access the logs. This presents a risk when debug-level logs are shared with vendors or other parties to troubleshoot issues.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| org.ovirt.engine.sdk:ovirt-engine-sdk-java | lt | 4.1.7.6 |
References
access.redhat.com/errata/RHEA-2017:3138
bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15113
gerrit.ovirt.org/gitweb?p=ovirt-engine.git;a=commitdiff;h=f4a5d0cc772127dbfe40789e26c4633ceea07d14;hp=e6e8704ac9eb115624ff66e2965877d8e63a45f4
github.com/advisories/GHSA-m833-87vf-576c
nvd.nist.gov/vuln/detail/CVE-2017-15113
web.archive.org/web/20210124121521/https://www.securityfocus.com/bid/101933/
Related
3.5 Low
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:S/C:P/I:N/A:N
7.2 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
0.003 Low
EPSS
Percentile
68.3%